Ransomware: The Trend That Never Goes Out of Fashion


Earlier this month, the data breach affecting Quest Analysis, LabCorp, and Opko was announced, stemming from an incident at the collections vendor American Healthcare Collection Agency (AMCA). The number of individuals whose medical and personal data were compromised by the incident has now surpassed 20 million, raising serious concerns about medical identity theft for everyone affected.


So what can you do to help prevent medical identity theft?


Request access to your medical records. It is your right under the Health Insurance Portability and Accountability Act (HIPAA) to access your medical records. Get in the habit of reviewing them and looking for any errors in your chart that could indicate something is wrong.


If you detect errors in your medical information, report them immediately. If you do discover an error in your medical records, waste no time in reporting it to your health insurer. Their fraud department should be able to assist you with the next steps. In addition, report the fraud to the Federal Trade Commission (FTC) by filing an identity theft report.


Verify the security of your information. Be aware of how your providers are protecting your medical information, and do not hesitate to ask how your data is being protected. If your records are being handled the way they should be, no practice or organization should feel uncomfortable answering that question.


Only give out the minimum. Don’t offer unnecessary information to healthcare providers, pharmacies, etc. If the information is not required, it is best not to share it.


Protect your medical information. If you decide it is appropriate to share your information with a medical provider or another party, learn why they need it, what they plan to do with it, and who they will share it with. Remember, giving out only the minimum is not a bad thing in this situation.


Check links. Always check that any website you’re accessing is secure; this includes a patient portal. Secure websites should have “https” at the beginning of the URL.


Use caution when disposing of your medical records. Never just toss your medical records out with the trash. If any of your personal information is on paper, shred it before discarding it.


While being caught up in a data breach is often out of our hands, as with the Quest Analysis, LabCorp, and Opko breach, taking precautions and staying diligent in monitoring your medical records will help you prevent or stop medical identity theft.


We previously wrote an article about the ransomware attack that struck a Michigan doctor’s office, leaving its patients with no medical records and leading the practice to close. This article is intended to provide professional insight into the liability the practice still faces despite its decision to close its doors.

The following blog was written by Matthew Fisher, Chair of Health Law Group and a Partner at the law firm of Mirick O’Connell where Matt focuses on guiding practices and companies through the labyrinth of healthcare regulations.

A two physician practice in Michigan recently drew significant attention for deciding to unexpectedly close after losing all of its patient and billing records.  In brief, the practice suffered a ransomware attack that blocked access to all files.  The attackers demanded a ransom of $6,500 to restore access.  The physicians refused to pay the ransom (a response that in isolation is not a bad one).  The publicly stated reason for not paying is that the physicians could not receive a guarantee that the attackers would actually restore access.  When the ransom was not paid the attackers deleted all of the files.

The expected next step would be for the practice to pull out one of hopefully many backups, restore all files up to the point of the backup, and then continue on its way.  Since this particular practice made the headlines, that usual course outcome did not happen.  In this particular instance, the physician practice did not have a backup (or at least none that has been reported) and declared that all of its files were lost.  As a result of not having any files and not wanting to take the time to restore the practice, the physicians provided roughly thirty days notice of the practice shutting down entirely.

Will closure of the practice be the end of the story?  Unfortunately, the physicians likely may only hope that closure ends the entire story.  In all likelihood, this practice could help set precedent for future claims in the event of a catastrophic outcome from a ransomware attack.

Finding one silver lining may be a good way to approach the assessment of potential liability.  Instead of shutting down immediately, as noted above, the practice provided slightly over thirty days advance notice of the closure.  Giving patients thirty days to find a new physician is consistent with the suggested course of action contained in model ethical guidelines.  The ethical guidelines look to provide a patient with sufficient or reasonable time to transition and that the physician terminating the relationship continue to provide care during the transition period.  The thirty days here may be enough for that to happen.

Now for the potential liabilities.  If all records have been lost, then the practice will clearly not be able to respond to any patient’s request for access under HIPAA.  Failure to respond to a request for access is one of, if not the, most common types of non-compliance with HIPAA.  When access is denied, many individuals will submit a complaint to the Office for Civil Rights.  In this case, the entire patient population of the practice could theoretically submit such a complaint.  Given the total breakdown, could the loss of all records be the spur for OCR to issue the first fine for a denial of access?  It is possible, especially since OCR has used settlements in the past to provide lessons about key issues of HIPAA compliance.  For example, OCR could point not only to the need to fully respond to a request for access, but fault the practice for not having a disaster recovery and backup plan, and very likely for not having done a risk analysis.

A second area of potential is malpractice related claims.  A patient could assert an adverse outcome from a procedure or service and the physicians would be without records to defend against the claim.  Malpractice claims can rely heavily upon poring through medical records to piece together exactly how care was provided and to assess the quality of care provided by the physician(s) who are the subject of the claim.  If no records exist, then how can services be assessed?  Unless some supporting records could be found from another facility, it could leave the physicians severely handicapped in their ability to produce any sort of defense.

A third potential liability could arise from claims brought by patients if repeat care is not covered by insurance and/or a patient is forced to pay out of pocket due to being in a deductible range.  Since all of the records are gone, tests will very likely need to be repeated to obtain relevant and needed information.  While the practice may not have the records, each patient’s health insurance company will certainly have a record of a claim being submitted for the service and in all probability the claim being paid.  While the health insurance company may be made aware of the record loss, a natural response from insurance would be that it will not cover the service again because it will then be forced to pay for the failure of the physician practice.  Alternatively, even if insurance is willing to cover the service again, a patient could have a high deductible health plan or other form of coverage where that patient will need to pay out of pocket for the service.  In either scenario, whoever pays for the service could look to the physicians who lost the records and seek to make them pay for the unnecessary repetitive services.  The argument would flow that the loss of records was the direct cause of the repeat service being needed and that any financial harm should fall on the causative actor.

While those are only three potential liabilities, each possibility could easily occur.  A natural response could be for the physicians to seek liability insurance carriers for the practice to cover any damages.  Without being able to get into the exact specifics of the case, the insurance carriers could seek to deny coverage.  If the practice was negligent in protecting its records, was not fully accurate in filling out an insurance application, or took other steps not called for by the insurance policy, then coverage could be denied.  As such, the physicians could easily be fully on the hook for any resulting damages.

While no data breach is good, when extreme outlier cases arise the outcomes become even worse.  While it is too late for the particular practice in Michigan to change the outcome, the total loss of data should be a wake-up call to other practices and organizations that good, comprehensive security is essential.


Metrocare Services, a mental health service provider in North Texas, has notified the Department of Health & Human Services (HHS) of a data breach affecting 5,290 patients.

The Breach Discovery

The breach was the result of a phishing attack and was discovered on February 6, 2019, when Metrocare found that an unauthorized third party had accessed some of its employees’ email accounts. According to Metrocare, immediately after learning of the breach, the affected email accounts were secured and an investigation was launched. The investigation found that the compromised email accounts were first accessed in January 2019.

Potentially Accessed Information

The investigation revealed that some patient data was in the affected email accounts, including individuals’ names, dates of birth, driver’s license information, health insurance information, health information related to services received at Metrocare, as well as some Social Security numbers.

Patient notification began on April 5, 2019. At this time, Metrocare does not have reason to believe that any of the affected patient information has been misused as a result of the incident. Those individuals who may have had their Social Security numbers exposed are eligible for one year of complimentary identity protection and credit monitoring.

In their notice, Metrocare writes:

We regret any inconvenience or concern this incident may cause our community. To help prevent something like this from happening in the future, we are taking steps to add additional security measures to our current information technology infrastructure, including strengthening the security of our e-mail system, and have implemented multi-factor authentication on its systems.

Not Their First Offense

What sounds like a sincere apology to the community regarding the incident may not be taken as such. This data breach was reported just 5 months after Metrocare reported a previous breach in November 2018. Even worse, this breach was almost identical to the previous one: a phishing attack that compromised the PHI of 1,800 patients.

Following the November phishing attack, Metrocare stated they would be strengthening their security measures, including their email system and providing additional training to their employees.

Considering they encountered a very similar breach just months after their first one, it is clear that whatever security/training may have been implemented was not enough. Multi-factor authentication had not been enabled following the first attack, which could have very likely prevented the second from occurring.

The November phishing attack on Metrocare does not have a closing listed on HHS’ public breach website, meaning that first attack may still be under investigation.



The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has announced a settlement with Touchstone Healthcare Imaging (“Touchstone”) for potential violations of the HIPAA Security and Breach Notification Rules. Touchstone has agreed to pay $3,000,000 and adopt a corrective action plan.


Touchstone is a diagnostic healthcare imaging services company based in Franklin, Tennessee, and provides services in Nebraska, Texas, Colorado, Florida, and Illinois.


The Breach


In May 2014, Touchstone was informed by the FBI and OCR that one of its FTP servers was allowing uncontrolled, unauthorized access to protected health information (PHI). This uncontrolled access allowed files to be indexed by search engines, meaning an unauthorized individual could access another person’s PHI simply by performing an Internet search.


Initially, Touchstone stated that no PHI had been exposed by the uncontrolled server. The story changed during OCR’s investigation, when Touchstone ultimately admitted that the PHI of over 300,000 patients was, in fact, exposed. The information involved in the exposure includes names, birth dates, Social Security numbers, and addresses.


Even after the notice had been issued to Touchstone and the server was taken offline, PHI continued to be visible on the Internet.


The Investigation


OCR found that Touchstone was in violation of multiple HIPAA rules. Following the breach notice issued by the FBI and OCR, Touchstone failed to conduct a thorough investigation of the breach for several months. Not only did the delayed investigation of the breach violate HIPAA, it also resulted in delayed breach notifications to the affected individuals and a delay in notifying the media, both additional HIPAA violations.


Further investigation revealed that Touchstone had also failed to carry out an accurate and thorough risk analysis of its organization, a critical component in identifying potential risks to the confidentiality, integrity, and availability of electronic PHI (ePHI). And the violations do not stop there.


OCR identified two situations where Touchstone failed to have Business Associate Agreements in place with its vendors, including its IT support vendor and a third-party data center, another HIPAA violation.


The Settlement


The settlement of $3 million is not the only action Touchstone must take. In addition to the monetary settlement, a robust corrective action plan must be adopted to address its HIPAA compliance deficiencies, including executing business associate agreements, completing an enterprise-wide risk analysis, and implementing HIPAA policies and procedures.


Although the number of HIPAA violations associated with this breach is extensive, all serve as an important reminder of the requirements under HIPAA that cannot be ignored. Performing a risk analysis, having Business Associate Agreements in place for the entire duration of a vendor relationship, implementing and enforcing policies and procedures, ensuring technical safeguards are in place, and training employees on HIPAA and security awareness are just a few key pieces of HIPAA compliance that should be addressed and evaluated regularly.


In addition, this situation highlights the necessity of taking quick action following a breach. Had Touchstone started its corrective action efforts immediately following the notification from the FBI and OCR, several violations might have been avoided, specifically those related to delayed breach notifications.



Hello, HIPAA


The Health Insurance Portability and Accountability Act, better known as HIPAA, was passed by Congress in 1996 and called for the protection and confidential handling of protected health information (PHI). HIPAA still exists today, aiming to protect patients and their information, but it’s important to think about how far we’ve come in the ways we handle patient data since its enactment.


Look how far we’ve come


Consider this: the first iPhone was introduced in 2007, 11 years after the introduction of HIPAA. This highlights the significant technological advancements our country has seen over the last 20-plus years. We’re now living in an electronic world. Not only has that made an impact on our personal lives, but also on how organizations conduct business. From financial institutions to medical practices, technology has brought new opportunities, and new obstacles.


When HIPAA was created, a patient’s PHI was stored in a chart, on paper. There was no worrying about a hacker getting into the network and stealing that information. Nobody had heard of phishing or ransomware.


Today, twenty-three years after HIPAA made its debut, it is far more common to see electronic protected health information (ePHI) than paper records. We have had tremendous advancements in patient care and treatment, which have created new challenges for the protection and confidential handling of PHI.


Holes in HIPAA


While there have been some tweaks to HIPAA, such as the Omnibus Rule in 2013, for the most part HIPAA has not seen much change since its launch. With the vast changes in the way we access and handle patient information, there is no denying the significant gaps in the HIPAA rule and the need for a major update.


Compliance is non-negotiable


One thing that has not changed since 1996: HIPAA compliance is here, and it is not optional. In fact, it’s arguably more important than ever to have your HIPAA compliance program in order. With the healthcare industry favored by cybercriminals, human error accounting for most data breaches, the ease of filing a complaint against an organization, and more, your compliance program could come under review at any time, and you must be ready.


What triggers an audit?


The Office for Civil Rights (OCR) is the department responsible for enforcing HIPAA. There seems to be a common misconception that OCR audits happen at random, with the department deciding to “pop in” on organizations to check their compliance status. The reality is that OCR is not staffed to audit organizations without just cause, meaning when an audit occurs, something triggered it.


Common audit triggers



    • Patient complaints – Patients could file complaints for any number of reasons. Maybe a patient was denied access to their records, or perhaps they saw a picture on social media with their medical chart in the background.


    • Employee complaints – Often, disgruntled employees file a complaint following termination of employment, but that’s not always the case. If an employee feels there has been wrongdoing, they could certainly file a complaint.


    • Employee mistakes – Employee mistakes, or human error, account for many audits. An employee falling for a phishing email, using weak passwords, or sending someone the wrong records are all examples of human error.


    • Insider wrongdoing – Sometimes employees violate company policies maliciously, and other times they may just be curious. Employees could steal patient records for personal gain or could peek at a patient’s records because they’re curious about their visit.


    • Third-party mistakes – Mistakes made by a Business Associate (BA) could also cause an investigation of your organization. If your BA suffers a data breach, you may be audited as well.


    • Security incident – Common security incidents include lost or stolen devices, especially unencrypted devices, as well as unpatched software that led to malware or ransomware infections.



Many times, whatever triggered the audit in the first place is not the biggest problem or finding by the OCR. This is why having your HIPAA compliance program in order and continuously working on your compliance is critical.


Bring on the questions


When a Covered Entity or Business Associate suffers a security incident, it needs to be reported, and once that happens, the questions start. Why didn’t you have a password on your Wi-Fi? Why was your server unlocked and underneath your reception desk? Aren’t your employees trained to spot a phishing email? Didn’t you have a policy in place for permitted use of a workstation? Why didn’t you have a Business Associate Agreement with your transcription service?


These are just a few of the questions an auditor could pose, and that’s just the beginning of what they will ask of you.


What will OCR look for in an audit?


What OCR looks for in an audit will vary depending on what triggered the audit in the first place. Below are some common things your organization could expect to show an auditor, all of which are key components of a HIPAA compliance program.



    • Security Risk Assessment – An absolutely critical part of your compliance program. The Security Risk Assessment (also referred to as the SRA, or Security Risk Analysis) looks for gaps in your organization’s administrative, physical, and technical safeguards that could pose a risk to protected health information (PHI). You must have documented proof of your SRA.


    • Remediation/Risk Management Plan – Once you’ve conducted your SRA, you’ll need a process in place to start addressing your deficiencies, often referred to as a Risk Management Plan. This plan should cover how you intend to remediate the security gaps discovered in your SRA.


    • Policies & Procedures – Not only does your organization need to have policies and procedures in place, but you also must ensure that employees understand those policies and have signed off on them. Employees can’t be expected to follow the rules if they are unaware of them, and the documented proof that they acknowledged the policies is vital in the event of a security incident.


    • Security Officer – Every organization needs to have an appointed Security Officer. This individual is responsible for ensuring policies and procedures are created, understood by all employees of the organization, and acknowledged by them with documented proof. The Security Officer should also ensure employees are trained on HIPAA routinely.


    • Routine HIPAA Training – Not only is HIPAA training a requirement, it is also necessary to decrease the chances of an employee error. HIPAA and cybersecurity awareness training should be conducted routinely so employees are kept updated on the latest threats and security best practices stay top of mind.


    • Business Associate Agreements – You must have a Business Associate Agreement (BAA) with any and all vendors that handle your patient data. A data breach caused by a Business Associate will also affect your organization, so make sure you are working with vendors who take HIPAA compliance seriously.



Proof of network vulnerability scans, penetration tests, and breach notification (in the event of a breach) may also be common requests by the OCR.


The bottom line


It’s safe to say that in this digital age HIPAA could use a refresh, but despite its flaws, your adherence to it is not up for discussion. An audit could be triggered by anyone, at any time. If a complaint were filed against you tomorrow, would you be confident in your compliance status? If you can’t answer yes, it’s best to get to work, before it’s too late.



Ransomware is not a new kind of cyber-attack. In fact, it’s been around for a long time, but don’t let its age fool you; ransomware is not “yesterday’s news”. Ransomware is just as alive as ever, continuing to dominate sectors across the globe, and healthcare is not immune from its threat.


You might be familiar with some of the more prominent ransomware attacks that made headlines over the last few years. Perhaps you’ve heard of Petya, a form of malware that affected a large number of computers across the globe in 2016 and 2017. Then there was WannaCry, the infamous ransomware that took the world by storm in 2017. Let’s take a closer look at the WannaCry outbreak that caused chaos and damage for many organizations.


The WannaCry Epidemic


WannaCry hit many organizations worldwide but arguably gained its notoriety by hitting several significant, high-profile systems, including Britain’s National Health Service (NHS). WannaCry showed just how harmful (and inconvenient) ransomware can be. Hospitals had to cancel operations and check-ups, relocate patients, revert to pen and paper, and more.


Some organizations were hit harder than others, like Erie County Medical Center, which lost access to 6,000 computers, forcing staff to carry out their processes manually. Recovery costs for the medical center reached $10 million.


Could It Have Been Prevented?


Microsoft actually released the patch needed to prevent WannaCry infections BEFORE the attacks began. Unfortunately, despite the patch being rated “critical”, many systems weren’t patched, leaving them vulnerable when WannaCry began sweeping the globe. Infected systems left their organizations with two choices: pay the ransom (and potentially still not regain access to your data) or recover your files from a backup.


This serves as a very important reminder of two things:



    • ALWAYS ensure your systems are patched and kept up to date


    • Back up your files regularly



Ransomware Today


Fast forward to 2018-2019: ransomware is still alive and doing very well. You may have heard of GandCrab, which began surfacing in 2018. We’ve also seen LockerGoga, a form of ransomware that began surfacing early this year and is likely responsible for an attack on Norwegian aluminum manufacturing giant Norsk Hydro. And, in recent news, Robbinhood, a fairly new variant of ransomware, has demonstrated the damage it can cause, hitting the city of Greenville, North Carolina in April and striking Baltimore earlier this month.


Regardless of which variant of ransomware we are seeing at any given time, one thing remains the same: it can destroy your systems, your data, and your history, and can even shut down your organization.


Protecting and Preparing Your Organization


Healthcare organizations must remain diligent in implementing and enforcing security solutions to protect against cybercrime. The worst mistake you can make is to assume you are not a target for cybercriminals; everyone is a target, from small businesses to large corporations. If you access or store data, you have what criminals want.


Train your employees. At a minimum, your employees must be trained in security awareness. Not only should they be able to spot and prevent malicious attempts by cybercriminals, they should also know how to speak up if they suspect a data breach or inadvertently cause a security incident.


Ensure your networks are properly segmented. If your organization suffers an infection, segmented networks make it much more difficult for the ransomware to spread across systems.


Patch your applications and operating systems. If there is a known vulnerability, it is critical that you patch it as quickly as possible. Looking back at WannaCry, for example, had more organizations patched that vulnerability, the result may well have been very different.


Frequently back up your files. Maintaining data backups is critical, for both data recovery and HIPAA compliance. If your system is hit by ransomware, backups give you access to your data as it was prior to the intrusion. Make sure your files are backed up at an offsite location or in the cloud so that, should your organization be struck by a security incident or disaster, your backups won’t go down with the rest of your systems. You should also test your backups regularly to ensure they are not corrupted.
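As an added example (not from the original article or from Sentree Systems), the Python script below shows one way to act on “test your backups”: it builds a SHA-256 manifest of a records directory when the backup is taken, then verifies a restored copy against that manifest, flagging altered, missing or unexpected files. The directory names and sample records are constructed for the demonstration.

```python
"""Backup manifest creation and restore verification.

Added example; not code from the original article. Assumes a source directory
(the live records) and a restored copy (pulled back from offsite or cloud
storage). A manifest built at backup time lets you prove, before any incident,
that the restore is byte-for-byte what was backed up.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large records do not need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file (relative, POSIX-style path) to its SHA-256 digest.
    Store the result alongside the backup, ideally on read-only media."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest.
    Returns {relative_path: problem}; an empty dict means the restore is clean."""
    problems = {}
    for rel, digest in manifest.items():
        p = restored / rel
        if not p.is_file():
            problems[rel] = "missing"
        elif sha256_file(p) != digest:
            problems[rel] = "hash mismatch"
    # Files that were never backed up (e.g. ransom notes or renamed,
    # encrypted copies) are just as much a sign the restore is not trustworthy.
    for p in restored.rglob("*"):
        rel = p.relative_to(restored).as_posix()
        if p.is_file() and rel not in manifest:
            problems[rel] = "unexpected file"
    return problems


def demo() -> tuple:
    """Constructed scenario: back up a tiny records folder, then check one
    faithful restore and one damaged restore (a record overwritten and an
    extra '.encrypted' file present). Returns both verification results."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "records"
        (src / "2019").mkdir(parents=True)
        (src / "2019" / "patient_0001.txt").write_text("constructed sample record A\n")
        (src / "2019" / "patient_0002.txt").write_text("constructed sample record B\n")
        manifest = build_manifest(src)

        good = Path(tmp) / "restore_good"
        shutil.copytree(src, good)

        bad = Path(tmp) / "restore_bad"
        shutil.copytree(src, bad)
        (bad / "2019" / "patient_0001.txt").write_bytes(b"\x00garbage")
        (bad / "2019" / "patient_0002.txt.encrypted").write_bytes(b"junk")

        return verify_restore(manifest, good), verify_restore(manifest, bad)


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean restore problems:", clean)
    print("damaged restore problems:", damaged)
```

Run the same `build_manifest` at backup time and `verify_restore` on every test restore; a non-empty result means the backup cannot be relied on for recovery.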


Have a disaster recovery plan and an incident response plan. Your organization and your employees should know how to respond when a disaster or suspected security incident strikes. Have these plans well documented, but keep in mind that not every incident will be handled exactly the same way. The type of incident and its magnitude will dictate how you respond.


Cyber insurance is a must-have for every organization. Despite all preventative efforts, breaches happen, and when they do the costs add up, quickly. HIPAA fines, legal counsel, breach notification, and credit monitoring are just some of the expenses you may incur after an incident. Cyber insurance can help protect you from losses related to data breaches or security incidents.


While we’ve seen several ransomware variants come and go, and the chatter may seem to have quieted, don’t for one second be fooled into thinking ransomware is dead. When patches are issued for vulnerabilities and decryption tools are created for regaining access to encrypted files, cybercriminals don’t just give up. Attackers are sophisticated and will continue to advance their tactics and come out with new strains of ransomware. Be prepared for a cyber attack at any given moment, because you never know when one may find a way into your organization.





Copyright © 2015 - 2018 Sentree Systems, Corp.. All rights reserved.
